The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Open Source Security Foundation (OpenSSF) Software Repository Protection Working Group, announced that it is publishing a new framework for securing package repositories.
Called "Package Repository Security Principles," this framework aims to establish a set of ground rules for package managers and further strengthen the open source software ecosystem.
“Package repositories are at a critical point in the open source ecosystem in preventing or mitigating such attacks,” OpenSSF said.
“Even simple actions such as documenting account recovery policies can lead to powerful security improvements. At the same time, package repositories must balance resource constraints and functionality. Many package repositories are run by for-profit organizations.”
Specifically, the principles define four security maturity levels for package repositories across four categories: authentication, authorization, general functionality, and command-line interface (CLI) tools.
- Level 0 – Very low security maturity.
- Level 1 – Has basic security maturity, such as supporting multi-factor authentication (MFA) and allowing security researchers to report vulnerabilities.
- Level 2 – Has moderate security, including actions such as requiring MFA for critical packages and warning users of known security vulnerabilities.
- Level 3 – High security, requiring MFA for all maintainers and supporting package build provenance.
All package management ecosystems should operate toward at least Level 1, framework authors Jack Cable and Zach Steindler note.
The ultimate goal is to enable package repositories to self-assess their security maturity and develop plans to strengthen guardrails over time in the form of security improvements.
“Security threats change over time, and so do the security capabilities that address those threats,” OpenSSF said. “Our goal is to help package repositories more quickly deliver the best security features to strengthen the security of their ecosystems.”
This development comes after the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) warned of security risks resulting from the use of open source software for patient record maintenance, inventory management, prescriptions, and billing.
“While open source software is the foundation of modern software development, it is also often the weakest link in the software supply chain,” HC3 said in a threat brief published in December 2023.